Promotion Trust Security Practices
            
            Last Modified: August 24, 2025
           
          
          1. Introduction
          
            Promotion Trust's comprehensive security measures include physical and
              online security techniques to monitor and block irregular activity
              (e.g., hackers, automated entries, viruses) from disrupting your
              sweepstakes, contests, and games. Our advanced security techniques help
              ensure that your promotion will run smoothly, uninterrupted, and
              error-free. Our protection measures include:
          
          2. Protection for You and Your Promotions
          
            - 
              Legal Support & Indemnification. We stand behind our work. Subject to your Master
              Services Agreement (MSA),
              Promotion Trust will indemnify you for claims arising directly from the services we
                provide related to your promotions, including our drafting, review, and approval of promotion rules and
                marketing materials, and for their compliance with applicable prize promotion laws (unless, of course,
                you disregard our recommendations).
            
            - 
              In over 30 years, we have had
               zero legal challenges 
              to promotions run by Promotion Trust.
            
- 
              We are hands-on experts at creating, running, and
              managing sweepstakes, contests and promotions.
            
- 
              We have run thousands of successful promotions
              since we were founded over 30 years ago.
            
- 
              Promotion Trust provides
                access to licensed attorneys
                  in over 100 countries to help ensure your promotions are legal in every
                country you run them.
            
- 
              We are promotions experts. We understand the complex state, federal
              and international laws that govern sweepstakes and
              we know what it takes to make your promotion a success.
            
3. Data Center Security
          
            - 
              The data collected for your promotions via our Promotions Platform
              are stored on secure servers hosted on the Amazon AWS cloud
              platform, located in Virginia, USA. The AWS cloud security
              infrastructure has been architected to be one of the most flexible
              and secure cloud computing environments available today. It provides
              an extremely scalable, highly reliable platform that enables
              Promotion Trust to deploy high volume promotions quickly and
                securely. For more information on AWS security, please visit
                
                  http://aws.amazon.com/security/.
            
- 
              AWS maintains numerous third-party assessments for its infrastructure (e.g., SOC reports, ISO/IEC
              27001/27017/27018, PCI DSS for applicable services). Promotion Trust leverages these
                facilities and
                implements application-level controls appropriate to our services.
            
- 
              These data centers feature biometric access systems, data center
              cages, security cameras, entry/exit audit trails, and are managed
              24/7/365 with onsite security staff.
            
- 
              Our Promotions Platform and websites employ layered DDoS protection.
            
- 
              System access is restricted to authorized personnel and protected by least-privilege role-based access
              control (RBAC), multifactor security, network segmentation, VPNs where appropriate, and firewall rules.
              Access is
              reviewed on a regular basis.
            
4. Data Privacy Measures
          
            - Data is encrypted in transit (HTTPS/TLS 1.2+; TLS 1.3 preferred) and at rest with strong
              industry-standard ciphers and managed keys.
- 
              We do not sell your data or the data you collect with our Promotions
              Platform.
            
- 
              All application traffic, including authentication, occurs over HTTPS (TLS). HTTPS is available and
              enforced on all campaigns hosted by Promotion Trust.
            
- 
              We implement controls to support our Clients' GDPR and other privacy
              obligations (e.g., data minimization, access controls, audit logging, encryption, regional transfer
              mechanisms). Our Sub-Processors are vetted and bound by data protection terms.
            
- 
              Winner Tax Data Controls. Where Clients instruct us to collect winner tax information (e.g.,
              SSN/ITIN/TIN or non-U.S. equivalents) for prize administration and tax reporting, access is strictly
              limited on a need-to-know basis, data is encrypted at rest and in transit, and files are transmitted via
              secure, encrypted channels. Such data is retained only for periods required by applicable tax and
              recordkeeping laws and then securely deleted or irreversibly anonymized (with backups purged on the next
              cycle).
            
- 
              You can learn more about privacy by reviewing our
              
                Privacy Policy.
            
- 
              Visit our list of Sub-Processors to
              learn more.
            
5. Data Loss and Corruption Prevention
          
            - 
              To keep your data safe, each client's data is stored in separate,
              secure databases. Your data is never mixed with other clients' data.
            
- 
              Backups are encrypted and tested on a regular basis.
            
- 
              Promotion Trust technology infrastructure provides enterprise
                scalability, maximum security, and redundancy with firewalls, load
                balanced servers, encrypted database servers, IDS/IPS tools, virus
                protection, and daily backups.
            
- 
              Our promotion systems are monitored 24 hours a day, 7 days a week for
              suspicious activity, errors, issues, potential issues, and
              performance.
            
- 
              Physical access controls are in place to protect hard-copy data and
              computer equipment. Operational security procedures are devised to
              minimize the number of storage locations in which personal data is
              held.
            
- 
              Security policies and mechanisms include unique user accounts, disabled shared/guest accounts, RBAC and
              least-privilege access, strong credential standards with MFA, central logging, timely security patching,
              antimalware, firewalls, VPNs, and encryption of personal data during transit and at rest.
            
- 
              Unique user accounts (with strong password requirements) are
              assigned to each user. Access to personal data is limited only to
              user accounts approved to access such data.
            
- 
              A clean desk policy is always maintained by Promotion Trust's
                personnel. All forms of physical personal data such as promotion
                entry forms, tax documents, and entry validations are not left out
                on desks or in open areas when not needed. All confidential
                materials and data are stored in secure locked areas with limited
                access.
            
6. Proper Data Destruction
          
            - 
              We maintain written data retention and destruction procedures covering digital and physical records (e.g.,
              promotion entries, winner lists, validation letters, tax records, mail, long-term storage). We minimize
              confidential data collection and securely destroy data when it is no longer needed or at the end of the
              applicable retention period.
            
- 
              All paper documents containing confidential or personal data are destroyed using cross-cut shredders.
            
- 
              When IT equipment is decommissioned, storage media is securely wiped (cryptographic erase/overwrite) or
              physically destroyed prior to disposal.
            
7. Data Breach Protocols
          
            - 
              Promotion Trust ensures the security of client data and confidential
                information. Our information security incident response process detects,
                responds to, and reports incidents quickly and effectively. Our systems
                help ensure that we minimize losses, address weaknesses, swiftly restore
                system functionality, and maintain business continuity.
            
- 
              Comprehensive chain of custody procedures are followed to protect
              evidence gained during any security incident.
            
- 
              Where we act as a processor, we will notify Clients without undue delay after becoming aware of a
              personal data breach and provide information required to support Client notifications,
              consistent with our DPA.
            
8. Employee Education & Internal Protocols
          
            - 
              Employees who have access to customer data undergo criminal history
              background checks prior to employment.
            
- 
              All employees are required to sign non-disclosure and
              confidentiality agreements.
            
- 
              We provide information and training to our employees regarding
              privacy and security best practices.
            
- 
              Access to systems and data is promptly removed upon role change or separation and verified through
              termination checklists.
            
- 
              To protect our company from a variety of different losses,
              Promotion Trust has established a comprehensive insurance program.
                Coverage includes cyber incidents, data privacy
                incidents (including regulatory expenses), general error and
                omission liability, workers' compensation, and commercial
                general liability.
            
9. Promotion Specific Protections
          
            - 
              Independent Arbitration & Dispute Resolution.
              Promotion Trust will act as the third-party independent judging organization for
                your promotion. We will interpret the rules and make fair and impartial decisions if issues arise,
                and we will manage any consumer complaints or inquiries. This helps protect you. By designating
                Promotion Trust as the third-party independent judge in the Official Rules of the
                  promotion, you, and more importantly your entrants, agree that if an issue or complaint arises,
                  Promotion Trust will decide how best to interpret the rules and proceed. Our role is
                    designed to provide a clear
                    and efficient process for resolving consumer complaints and promoting fairness in your promotion
                    and can help mitigate potential disputes.
            
- 
              Secure Data & Record Keeping. Running a promotion involves strict rules for handling data
              and keeping records. Promotion Trust manages this entire process for you, securely
                storing all promotion data and
                maintaining records in full compliance with applicable laws.
            
- 
              Quality Assurance Testing. Our Quality Assurance
              Engineers perform rigorous testing of your promotion for
              functionality, browser support, stability, security and load.
            
- 
              Entry Restrictions. Consumers can be limited to
              entering the promotion based on any criteria such as email address,
              household, frequency (e.g., once per day), geography (e.g.,
              excluding Florida), age (e.g., must be over 18), or any other criteria
              desired.
            
- 
              Child/Minor Participation Controls.
              We provide configurable age-gating and (where required) parental consent workflows to help Clients
              address child privacy requirements (e.g., COPPA, CARU). These systems can block child registrations or
              require parental permission
              before children can participate in the promotion.
            
- 
              Data Collection and Tracking. All visitor tracking
              and submission data is collected centrally in a secure, redundant,
              encrypted database.
            
- 
              Duplicate Validation. Players can be restricted
              from entering a promotion multiple times based on any criteria such
              as name, phone number, email address, household, frequency (e.g.,
              once per day), geography (e.g., excluding Florida), age (e.g., must be
              over 18), or any other criteria desired. Promotion Trust's advanced
                duplication algorithms make it difficult to thwart duplicate
                validation.
            
- 
              Entry Validation. Sweepstakes
              entries are validated to ensure that the information is accurate and
              complete and that all entrants meet the requirements of the Official
              Rules (e.g., entry frequency, geography, age).
            
- 
              Winner Validation. Promotion winners are validated
              to ensure that their information is accurate and complete and that
              they all meet the requirements of the Official Rules (e.g.,
              entry frequency, geography, age).
            
- 
              Bot Protection. This feature secures your promotion
              entry forms with CAPTCHA challenges and other security techniques to
              block spammers, automated programs, and bots from interfering in
              promotions.
            
- 
              Audit Logs. Promotion Trust maintains complete
                activity logs and audit trails of all entries, validation errors,
                winners, and suspicious activities.
            
- 
              IP Address Blocking. Hackers are blacklisted by IP address and
              blocked from disrupting promotions.
            
- 
              High Volumes. Our load balanced cloud-based servers
              support extremely large volumes of traffic.
            
- 
              Fault Tolerance. Our cloud-based systems provide
              redundancy for hardware, software, power, and bandwidth.
               
            
            Promotion Trust takes data security and privacy very seriously. While we
              can't reveal everything about our security practices (as doing so could empower
              the very people we are protecting against), we hope that the information
              provided in this document gives you confidence in the security of our
              promotions and the data that you entrust to us.